In-vehicle infotainment

In-vehicle infotainment (IVI) systems combine navigation, entertainment, and communication functions within a vehicle. As a primary interface for external connectivity (Bluetooth, Wi-Fi), IVI is a major cybersecurity attack vector. Compliance with standards like ISO/SAE 21434 is crucial for mitigating risks, protecting data, and ensuring vehicle safety.

Curated by Winners Consulting Services Co., Ltd.

Questions & Answers

What is In-vehicle infotainment?

In-vehicle infotainment (IVI) systems are complex computing platforms that integrate navigation, communication, entertainment, and vehicle status displays. In risk management, IVI is considered the primary cybersecurity attack surface of a vehicle due to its multiple external interfaces (e.g., Bluetooth, Wi-Fi, USB, cellular) and ability to run third-party applications. According to the ISO/SAE 21434 standard, the IVI system is a critical 'Cybersecurity Item.' A vulnerability could not only lead to data breaches (e.g., location history, contacts) but also serve as a gateway for attackers to pivot to the internal vehicle network (e.g., CAN bus), potentially compromising safety-critical functions like braking and steering. Consequently, UN Regulation No. 155 mandates that OEMs implement a Cybersecurity Management System (CSMS) that covers the IVI system to ensure risks are managed throughout its entire lifecycle.

How is In-vehicle infotainment applied in enterprise risk management?

Securing IVI systems in enterprise risk management follows the structured lifecycle process defined by ISO/SAE 21434. Key steps include:

1. **Threat Analysis and Risk Assessment (TARA):** Identify critical assets of the IVI system (e.g., user data, firmware) and analyze potential threat scenarios and attack paths, such as ransomware injection via a malicious USB device. The risk is then quantified by assessing the impact on safety, privacy, operations, and financials, along with the attack feasibility.
2. **Define Cybersecurity Goals & Requirements:** Based on high-risk findings from the TARA, establish specific cybersecurity goals, such as 'prevent unauthorized code execution on the IVI head unit.' This goal is then broken down into verifiable technical requirements, including implementing secure boot, code signing validation, and Role-Based Access Control (RBAC).
3. **Verification and Validation:** Conduct rigorous testing, including penetration testing, fuzz testing, and static code analysis on the IVI system. All test results and risk mitigation evidence must be documented to support vehicle type approval under UN R155.

Leading OEMs using this process reduce high-risk vulnerabilities by over 95%, ensuring 100% compliance for market access.

What challenges do Taiwan enterprises face when implementing In-vehicle infotainment?

Taiwanese enterprises, often Tier 1 or Tier 2 suppliers, face three key challenges in IVI cybersecurity:

1. **Complex Supply Chain Security:** Managing cybersecurity for software components from various sub-suppliers is difficult. ISO/SAE 21434 requires Cybersecurity Agreements, but a lack of auditing capabilities often prevents effective management of vulnerabilities within the Software Bill of Materials (SBOM). The solution is to implement standardized supplier security questionnaires and mandate the submission of complete SBOMs.
2. **Regulatory and Talent Gaps:** UN R155 and ISO/SAE 21434 are new, and there is a shortage of professionals with dual expertise in automotive engineering and cybersecurity. This can lead to poor-quality TARA. Partnering with external experts for workshops and training can build an internal team and standardized processes within 90 days.
3. **Insufficient Testing Resources:** The high cost of setting up automotive-grade security testing environments (e.g., Hardware-in-the-Loop) is a barrier for SMEs. Outsourcing testing or joining industry alliances with shared testbeds are cost-effective strategies to achieve necessary validation and ensure compliance.

Why choose Winners Consulting for In-vehicle infotainment?

Winners Consulting specializes in In-vehicle infotainment for Taiwan enterprises, delivering compliant management systems within 90 days. Free consultation: https://winners.com.tw/contact
